Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
CSRF prevention - AJAX, CORS
Posted by: ethicalhack3r
Date: May 16, 2013 07:48AM

Hi,

In this scenario the client and server are on different domains. The client uses AJAX to communicate with the server's API with the use of CORS.

My initial idea was this:

1. client sends request to server for token (give me a token!)
2. server checks origin (do we trust the client?)
3. replies with token if origin is trusted (yea, ok, send him a token)
4. client sends *real* (user initiated) request with token (add a user and here is my token)
5. server checks token and origin (is the token valid? is the client trusted?)

However, it seems to add no protection for CSRF if the origin header was removed. However, if we remove the token from the above and only rely on the origin header, this has been known to have issues too (https://docs.djangoproject.com/en/1.2/releases/1.2.5/#csrf-exception-for-ajax-requests).

How would you prevent CSRF in this situation?

Thanks,
Ryan

Re: CSRF prevention - AJAX, CORS
Posted by: Gareth Heyes
Date: May 17, 2013 09:39AM

Not sure what the problem is here. X-Requested-With is a custom header added by Django; it's possible to set a custom header using a redirect, and that was bypassed. If you're using origin then it shouldn't be a problem. If origin isn't set then the request won't happen anyway, because it's validated by CORS.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: CSRF prevention - AJAX, CORS
Posted by: ethicalhack3r
Date: May 17, 2013 02:59PM

Thanks for the reply, I think my main concern was relying on the origin header for CSRF protection without the use of tokens (or in my example, bad use of token sharing).

Re: CSRF prevention - AJAX, CORS
Posted by: Gareth Heyes
Date: May 17, 2013 03:28PM

Ok maybe I'm being stupid but if you verify the origin then how can you be CSRF'd unless it's from the valid server via XHR?


Re: CSRF prevention - AJAX, CORS
Posted by: hack2012
Date: June 04, 2013 03:31AM

Good idea, thanks...

Anybody who wants to read more about CSRF:

http://seclab.stanford.edu/websec/csrf/

Chinese version:

http://www.waitalone.cn/csrf-cross-site-request-forgery-defense.html
